Cyber-Criminals Plan Massive Trojan Attack on 30 Banks


Banks beware: A large-scale coordinated Trojan attack to launch fraudulent wire transfers may be headed your way. And it has nothing to do with the recent wave of denial-of-service attacks.

A group of cybercriminals appear to be actively recruiting up to 100 botmasters to participate in a complicated man-in-the-middle hijacking scam using a variant of the Gozi Trojan, RSA's FraudAction research team said in a blog post yesterday. The team put together the warning after weeks of monitoring underground chatter.

As many as 30 financial institutions in the United States may be targeted in this "blitzkrieg-like" series, said Mor Ahuvia, a cyber-crime communications specialist at RSA FraudAction. It's possible these well-known and high-profile institutions were selected, not because of "anti-American motives," but simply because American banks are less likely to have deployed two-factor authentication for private banking consumers, Ahuvia said. European banks generally require all consumers to use two-factor for wire transfers, making it harder to launch a man-in-the-middle session hijacking attack.

"A cyber gang has recently communicated its plans to launch a Trojan attack spree on 30 American banks as part of a large-scale orchestrated crimeware campaign," Ahuvia said.

Potential targets and relevant law enforcement agencies have already been notified, RSA said.

RSA FraudAction was not sure how far along the recruitment campaign has gone, or when the attacks are expected. While it's possible revealing the gang's plans may cause the criminals to scuttle their operation, it may just cause the group to modify the attack.

"There are so many Trojans available and so many points of failure in security that could go wrong, that they’d still have some chance of success," Ahuvia said.

Anatomy of the Attack

The proposed cyber-attack consists of several parts. The first part involves infecting victim computers with the variant of the Gozi Trojan, which RSA has dubbed Gozi Prinimalka. Once the computer has been compromised, it will communicate with the botmaster's computer, which has a "virtual machine syncing module" capable of duplicating the victim's PC settings, such as the time zone, screen resolution, cookies, browser type, and installed software IDs, into a virtual machine, RSA said.

When the attacker accesses victim accounts using the cloned system, the virtual machine appears to be a legitimate system using the last-known IP address for the victim's computer, RSA said. This cloning module would make it easy for the attackers to log in and initiate wire transfers. The attackers also plan to use VoIP phone flooding software to prevent victims from receiving confirmation calls or texts verifying online account transfers and activity, RSA said.
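The two paragraphs above describe why the cloned virtual machine defeats device recognition: every attribute the bank recorded, down to the last-known IP address, is reproduced, and out-of-band confirmation calls are jammed. The following Python example is added here to illustrate the defensive point the article makes about two-factor authentication; it is not code from RSA, PCMag or the article. It assumes a simple HMAC-based transaction-signing code (an assumption, standing in for whatever token or app a bank would issue) and uses constructed sample values for the device profile, accounts and secret.

```python
import hmac
import hashlib

# Constructed profile of a customer's PC as the bank last saw it (sample values,
# not from the article). 203.0.113.0/24 is a documentation address range.
KNOWN_PROFILE = {
    "ip": "203.0.113.42",
    "time_zone": "America/New_York",
    "screen": "1920x1080",
    "browser": "Firefox/16.0",
    "cookie_id": "c0ffee-1234",
}


def fingerprint_matches(known, observed):
    """Device-recognition check: the session must reproduce every recorded attribute."""
    return all(observed.get(key) == value for key, value in known.items())


def transfer_code(secret, account, amount_cents, destination):
    """Transaction-bound one-time code (assumed scheme): an HMAC over the transfer
    details, as a customer's token or authenticator app would compute it. The secret
    lives on the token, never on the (possibly infected) PC."""
    message = f"{account}|{amount_cents}|{destination}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()[:8]


def authorize_transfer(known, observed, secret, account, amount_cents, destination, code):
    """Approve only if the device looks familiar AND the code is bound to this exact transfer."""
    expected = transfer_code(secret, account, amount_cents, destination)
    return fingerprint_matches(known, observed) and hmac.compare_digest(expected, code)


def simulate():
    """Run the legitimate customer and a cloned-VM session through both checks."""
    secret = b"constructed-shared-secret"
    account = "ACCT-0001"

    # The synced virtual machine copies every attribute the bank recorded.
    cloned_session = dict(KNOWN_PROFILE)

    # A code the customer generated earlier for their own small transfer; assume the
    # Trojan captured it from the browser session and the operator tries to reuse it.
    stale_code = transfer_code(secret, account, 5_000, "DEST-OWN-SAVINGS")

    return {
        # Device recognition alone cannot tell the clone from the real PC.
        "clone_passes_device_check": fingerprint_matches(KNOWN_PROFILE, cloned_session),
        # A replayed code does not authorize a different amount or destination.
        "clone_with_stale_code": authorize_transfer(
            KNOWN_PROFILE, cloned_session, secret, account, 950_000, "DEST-MULE", stale_code),
        # The customer approving their own transfer passes both checks.
        "customer_with_fresh_code": authorize_transfer(
            KNOWN_PROFILE, KNOWN_PROFILE, secret, account, 5_000, "DEST-OWN-SAVINGS",
            transfer_code(secret, account, 5_000, "DEST-OWN-SAVINGS")),
    }


if __name__ == "__main__":
    for check, outcome in simulate().items():
        print(f"{check}: {outcome}")
```

The design choice worth noting: the second factor is computed from the transfer details on a device the Trojan does not control, so it neither depends on an inbound confirmation call or text that phone flooding can block, nor can a captured code be replayed against a different destination. Device recognition still has value for risk scoring, but the simulation shows it is not a substitute for a transaction-bound factor when the attacker can clone the recorded profile.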

The recruits have to make an initial investment in hardware and agree to training on how to deploy the Gozi Trojan, Ahuvia wrote. They will receive executable files, but not the compilers used to create the Trojan. In return, the new partners in this venture will receive a cut of the profits.

Trojan Behind Previous Attacks

The Trojan is not as well known as others, such as SpyEye or Citadel, nor is it as widely available, Ahuvia said. Its relative obscurity means antivirus and security tools are less likely to flag it as malicious.

RSA has linked the Gozi Trojan to previous attacks responsible for more than $5 million in losses in the United States in 2008. The researchers have linked the Trojan to a group called the HangUp Team, and speculated the same group was behind this latest campaign.

The way the attack is structured, it is very likely the targeted institutions won't even realize they've been affected until at least a month or two after the attacks. "The gang will set a pre-scheduled D-day to launch its spree, and attempt to cash out as many compromised accounts as possible before its operations are ground to a halt by security systems," Ahuvia said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.